Worth Stealing | Protect your E-commerce site

Hackers love e-commerce website, whether you’re a major retailer or the owner of an e-commerce site that processes only a handful of transactions. In fact, consider this somewhat sobering fact: 60% of cyber attacks target small or medium-sized businesses over larger corporations. The simple reason is that they’re usually easy targets. The data is normally worth stealing purely due to how easy it is to get. Don’t want your customer data available for download on dodgy chat rooms or being sold to the highest bidder? Read on for the best ways to protect your e-commerce site from cybercriminals.

Don’t have anything worth stealing

Hackers target websites to obtain sensitive data worth stealing, with credit and debit card details being at the top of the list. Several household names have fallen victim to such data breaches, including:

Home Depot, 2014 – the American retail chain had data from over 50 million customers stolen. This hack included credit card details, resulting in roughly USD $179 million in settlements.

Hilton Hotels, 2015 – considering the number of bookings this giant chain processes on a daily basis, it’s surprising they got hacked. But it happened, with credit card data stolen from dozens of their brands, including DoubleTree and Hampton Inn.

Update your code

Most business owners will either use a pre-packaged e-commerce solution or will hire a developer for a one-off job. The site will start off great, forming an unconquerable bastion with all WordPress security plugins (or modules if you’re running Drupal, you get the picture!) up-to-date.

But it usually all goes downhill from there. The website is essentially left to its own devices, with all requests for security updates ending up unopened and unread. And this is where things usually get ugly, as a large proportion of updates are a direct response to vulnerabilities that hackers have exposed. Avoid this problem by regularly updating your plugins; it usually takes little more than a couple of clicks, so no excuses!

Choose the right host

Not every host is created equal, which is a point that many business owners, unfortunately, learn the hard way. In addition to ensuring your code is up to scratch, it’s essential you keep your e-commerce solution running on a decent hosting server. Instead of shared hosting, opt for a securely dedicated provider. Pay particular attention to the inbuilt security solutions on the server and the backup options (should the worst happen!).

Think about this decision in terms of the following analogy. Would you run your physical business out of a cheap motel that’s overflowing with guests and where your customers won’t feel safe? The answer is a definite No. You’d rent a proper unit in the right district, providing an environment that encourages sales and keeps your business safe. Hosting works in precisely the same way. Don’t be cheap and buy adequate hosting from the get-go.

Use SSL

For some of you, this tip will result in a ‘well, duh!’ reaction. However, it’s surprising just how many e-commerce websites don’t use SSL to encrypt user data, especially that worth stealing. And of those that use SSL, it’s only a minority that force HTTPS across all instances.

In this case, our message is clear and straightforward: Use SSL. Enforce https.

SSL certificates are essential, period. They protect customer data via encryption, ensuring hackers can’t do anything with the intercepted information. Considering just how easy it is to implement using services such as letsencrypt.org (and it’s free!), it really should be one of the first tasks you complete before making your site available to customers.

Require proper passwords

Don’t trust your customers with their passwords. After all, the most common options in 2017 were 123456 and password (yes, the word ‘password’!). Nudge customers in the right direction by requiring them to use strong passwords as part of the sign-up process. Most e-commerce solutions will have an option for this, requesting the use of a minimum number of symbols, digits, and capital letters. When it comes to creating a strong password, the traditional advice still holds true:

The longer, the better. 12 characters should be the minimum.

Mix it up by using a variety of numbers, capital, and lower-case letters, as well as symbols.

Do not combine dictionary words. Don’t use words that can quickly be cycled through using a simple program.

Avoid basic substitutions. No, using a zero instead of an o is not a clever solution.

Penetration testing

Penetration testing, otherwise known as ‘ethical hacking,’ is a process in which your website undergoes a series of tests in order to identify and exploit any existing weaknesses. For example, attempts can be made to log-in to the back-end of your e-commerce solution, ‘stealing’ data.

Penetration testing is often confused with a vulnerability assessment. However, these are two crucial yet entirely distinct processes. The latter use vulnerability scanners to identify technical threats, while penetration testing qualifies the threat by actively attempting to exploit vulnerabilities. This not only clarifies any potential false positives but also lays bare the true extent of the problem.

The takeaway message

Dealing with hackers is mostly all about prevention. Remember, most are implementing pre-coded scripts en masse and are looking for the easiest victims. As data becomes more valuable and worth stealing to cybercriminals just like petty robbers opt for open doors and unsecured locks, all it takes is a little bit of simple preventative measures to scare off most would-be hackers.

David Burke is Export-Import Manager by the day and in free time a freelance writer and a passionate blogger who likes writing articles that cover business, tech and cybersecurity-related topics. He has written numerous articles and contributed to several other blogs. When he is not writing, he enjoys spending his free time outdoors with his family.